US20190289032A1 - Mitigation of ntp amplification and reflection based ddos attacks - Google Patents


Info

Publication number: US20190289032A1
Authority: US (United States)
Prior art keywords: ntp, request, response, security device, client
Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: US15/925,662
Other versions: US10868828B2 (en)
Inventor: Hemant Kumar Jain
Current Assignee: Fortinet Inc (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Fortinet Inc

Events
    • Application filed by Fortinet Inc
    • Priority to US15/925,662 (US10868828B2)
    • Assigned to FORTINET, INC. (assignment of assignors interest, see document for details; assignor: JAIN, HEMANT KUMAR)
    • Publication of US20190289032A1
    • Application granted
    • Publication of US10868828B2
    • Legal status: Active

Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L63/00 Network architectures or network communication protocols for network security
            • H04L63/12 Applying verification of the received information
              • H04L63/123 Applying verification of the received information received data contents, e.g. message integrity
            • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
              • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
                • H04L63/1416 Event detection, e.g. attack signature detection
              • H04L63/1441 Countermeasures against malicious traffic
                • H04L63/1458 Denial of Service
            • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
          • H04L67/00 Network arrangements or protocols for supporting network services or applications
            • H04L67/50 Network services
              • H04L67/535 Tracking the activity of the user
              • H04L67/56 Provisioning of proxy services
          • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
            • H04L69/28 Timers or timing mechanisms used in protocols

Definitions

  • Embodiments of the present invention relate generally to mitigation of distributed denial of service (DDoS) attacks on Internet infrastructure, specifically those using Network Time Protocol (NTP).
  • DDoS: distributed denial of service
  • NTP: Network Time Protocol
  • Amplification involves sending a small packet to a server and getting back a much larger packet in response. If the server is open to receiving packets, it can be used to reflect spoofed attacks and send the responses back to a victim which had nothing to do with the original request. If the ratio of the response packet to the original small request packet is high, the amplification is considered high.
  • DNS: Domain Name System
  • SSDP: Simple Service Discovery Protocol
  • SNMP: Simple Network Management Protocol
  • SQL: Structured Query Language
  • a tracking table is maintained by a network security device protecting a private network.
  • the tracking table contains information regarding network time protocol (NTP) requests originated by clients associated with the private network and observed by the network security device.
  • An NTP request sent from a client to an NTP server external to the private network is intercepted by the network security device.
  • An NTP request flooding attack on the NTP server by the client is mitigated by the network security device by: (i) determining based on the tracking table whether a prior NTP request directed to the NTP server and for which an NTP response has yet to be received was sent by the client within a predetermined or configurable time period of the NTP request; and (ii) when said determining is affirmative, dropping the NTP request.
  • FIG. 1 illustrates an NTP reflection attack via an unsecured NTP server.
  • FIG. 2 illustrates the concept of amplification in NTP attacks.
  • FIG. 3 illustrates the primary components for NTP DDoS attack mitigation in accordance with an embodiment of the present invention.
  • FIG. 4 is a flow diagram illustrating a method of detecting and mitigating duplicate NTP requests from the same source IP address in accordance with an embodiment of the present invention.
  • FIG. 5 is a flow diagram illustrating a method of mitigating unsolicited NTP response floods in accordance with an embodiment of the present invention.
  • FIG. 6 illustrates an exemplary computer system in which or with which embodiments of the present invention may be utilized.
  • A DDoS attack mitigation module comprises an apparatus that classifies NTP packets and their parameters and validates the headers for anomalies. Another component of the mitigation includes a rate monitor for multiple parameters. According to another embodiment of the invention, a meter maintains and monitors for unsolicited NTP requests. Yet another component of the mitigation system consists of an NTP request/response matching system to mitigate unsolicited responses.
  • Embodiments of the present disclosure may be provided as a computer program product, which may include a machine-readable storage medium embodying thereon instructions, which may be used to program a computer (or other electronic devices) to perform a process.
  • the machine-readable medium may include, but is not limited to, fixed (hard) drives, magnetic tape, floppy diskettes, optical disks, compact disc read-only memories (CD-ROMs), and magneto-optical disks, semiconductor memories, such as ROMs, PROMs, random access memories (RAMs), programmable read-only memories (PROMs), erasable PROMs (EPROMs), electrically erasable PROMs (EEPROMs), flash memory, magnetic or optical cards, or other type of media/machine-readable medium suitable for storing electronic instructions (e.g., computer programming code, such as software or firmware).
  • Various methods described herein may be practiced by combining one or more machine-readable storage media containing the code according to the present disclosure with appropriate standard computer hardware to execute the code contained therein.
  • An apparatus for practicing various embodiments of the present disclosure may involve one or more computers (or one or more processors within a single computer) and storage systems containing or having network access to computer program(s) coded in accordance with various methods described herein, and the method steps of the disclosure could be accomplished by modules, routines, subroutines, or subparts of a computer program product.
  • FIG. 1 illustrates an NTP reflection attack 100 in which an attacker 101 sends an unsolicited request to an unsecure NTP server 103 somewhere on the Internet 102.
  • The request is spoofed (i.e., it carries the source IP address of a victim server 104) so that NTP server 103 thinks that it must send a response to victim server 104.
  • Victim server 104 can thereby be overwhelmed with a distributed denial of service attack using the NTP protocol.
  • FIG. 2 illustrates an NTP amplification attack 200 in which an attacker 201 sends an unsolicited request to an unsecure NTP server 203 somewhere on the Internet 202.
  • The request is a short packet (e.g., 64 bytes).
  • This request may ask NTP server 203 to respond with a list of past requesters. If NTP server 203 responds to such requests due to its configuration, the response size can be as large as 13,184 bytes. Additionally, because the request is spoofed, server 203 thinks that it must send a response to a victim server 204. Thus, a 64-byte packet causes a 13,184-byte response directed to victim server 204.
  • Victim server 204 can be overwhelmed with an amplified distributed denial of service attack using the NTP protocol, which can completely fill its Internet pipe, denying service to legitimate users.
  • FIG. 3 illustrates the primary components to mitigate spoofed reflection and amplification NTP-based DDoS attacks in accordance with an embodiment of the present invention.
  • The primary mitigation components, which may be implemented within a network security device 300, such as a transparent gateway protecting a protected network, include an NTP Rate Anomaly Monitoring Engine 301, an NTP Duplicate Request Prevention Engine 302, an NTP Unsolicited Response Prevention Engine 303 and an NTP Unsolicited Request Mitigation Engine 304, which may collectively be referred to as an NTP DDoS detection engine or module.
  • NTP Rate Anomaly Monitoring Engine 301 is easy to imagine for those having ordinary skill in the art and is not described here in detail. Its purpose is to monitor the rates of NTP requests and responses and determine whether the rates are above the normal established rates. When the rates are higher than normal, it informs the other modules of this state so that they can take extraordinary actions.
  • NTP duplicate request prevention engine 302 determines whether a current NTP request is duplicative of an earlier NTP request observed by the transparent gateway, for example, by implementing the method described with reference to FIG. 4 (below).
  • NTP unsolicited response prevention engine 303 confirms that an NTP response observed by the transparent gateway corresponds to an NTP request previously observed by the transparent gateway, for example, by implementing the method described with reference to FIG. 5 (below).
  • NTP unsolicited request prevention engine 304 tracks NTP requesters that have made NTP requests to an NTP server residing within a protected network by, for example, maintaining and using a data structure containing the information noted in Table 4 (below) to track legitimate requesters and limit responses to those legitimate requesters during an NTP request flood.
  • a client sends an NTP protocol packet to a server and records the time the packet left the client in the Origin Timestamp field (T1).
  • the server records the time the packet was received (T2).
  • the server then assembles a response packet with the original Origin Timestamp and the Receive Timestamp equal to the packet receive time.
  • the server sets the Transmit Timestamp to the time that the message is passed back toward the client (T3).
  • the client then records the time the packet arrived (T4), giving the client four time measurements, as shown in Table 1.
  • Table 2 depicts an exemplary NTP request and response packet according to the Network Time Protocol Version 4: Protocol and Algorithms Specification, Internet Engineering Task Force (IETF) Request for Comments (RFC) 5905, which is hereby incorporated by reference in its entirety for all purposes.
  • IETF: Internet Engineering Task Force
  • RFC: Request for Comments
  • NTP operates over the User Datagram Protocol (UDP).
  • UDP: User Datagram Protocol
  • An NTP server listens for client NTP packets on UDP port 123.
  • the NTP server is stateless.
  • the server responds to each received client NTP packet in a simple transactional manner by adding fields to the received packet and passing the packet back to the original sender.
  • the key thing to note here is that the Mode field in Table 2 has a value of 3 when the client sends the request and 4 when the server sends a response.
  • a response should not be directed to a client if it never sent a request.
  • this fact is used to block unsolicited responses by maintaining a list of outgoing requests (e.g., those egressing a private network).
  • Such a scheme can be useful when the NTP client is inside a protected network and the NTP server is outside the protected network. That is, the NTP requests are outbound and the NTP responses are inbound.
  • Software logic, hardware logic or a combination thereof is deployed between the client and server in the form of a network security device (e.g., a transparent gateway) and is therefore a party to all communication between the clients and the servers that takes place via the gateway.
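The mode-3/mode-4 exchange and the T1..T4 timestamps described above, as an added example that is not part of the patent: it packs and parses the 48-byte NTPv4 header of RFC 5905, classifies a packet by its Mode field the way the gateway would, and recovers the four timestamps from a request/response pair. The offset and delay formulas are RFC 5905's, not the patent's, and all timestamp values are constructed.

```python
import struct

# Added example (not the patent's code). NTP timestamps are 64-bit: 32-bit seconds
# since 1900-01-01 followed by a 32-bit fraction of a second.
NTP_EPOCH_OFFSET = 2208988800          # seconds from 1900-01-01 to 1970-01-01
MODE_CLIENT, MODE_SERVER = 3, 4        # the Mode values the gateway keys on
HEADER_LEN = 48
# LI(2)|VN(3)|Mode(3), stratum, poll, precision, root delay, root dispersion,
# reference id, reference ts, origin ts, receive ts, transmit ts (RFC 5905 header)
HEADER_FMT = "!BBBbIIIQQQQ"

def to_ntp_ts(unix_seconds: float) -> int:
    secs = int(unix_seconds) + NTP_EPOCH_OFFSET
    frac = int((unix_seconds - int(unix_seconds)) * 2**32)
    return ((secs & 0xFFFFFFFF) << 32) | (frac & 0xFFFFFFFF)

def from_ntp_ts(ts: int) -> float:
    return (ts >> 32) - NTP_EPOCH_OFFSET + (ts & 0xFFFFFFFF) / 2**32

def build_header(mode, origin=0, receive=0, transmit=0, stratum=0, version=4):
    first = (0 << 6) | (version << 3) | mode      # LI = 0 (no leap warning)
    return struct.pack(HEADER_FMT, first, stratum, 6, -20, 0, 0, 0, 0,
                       origin, receive, transmit)

def parse_header(pkt: bytes) -> dict:
    if len(pkt) < HEADER_LEN:
        raise ValueError("NTP packet shorter than the 48-byte header")
    (first, stratum, _poll, _precision, _rdelay, _rdisp, _refid, _refts,
     origin, receive, transmit) = struct.unpack(HEADER_FMT, pkt[:HEADER_LEN])
    return {"leap": first >> 6, "version": (first >> 3) & 7, "mode": first & 7,
            "stratum": stratum, "origin": origin, "receive": receive,
            "transmit": transmit}

def classify(pkt: bytes) -> str:
    """What a transparent gateway sees: mode 3 is an outbound request, mode 4 an
    inbound response; any other mode is not part of the client/server exchange."""
    mode = parse_header(pkt)["mode"]
    return {MODE_CLIENT: "request", MODE_SERVER: "response"}.get(mode, "other")

def client_request(t1: float) -> bytes:
    # RFC 5905: the client records T1 in the Transmit Timestamp of its request.
    return build_header(MODE_CLIENT, transmit=to_ntp_ts(t1))

def server_response(request: bytes, t2: float, t3: float) -> bytes:
    # The stateless server copies the request's T1 into the Origin Timestamp,
    # records T2 in Receive and T3 in Transmit, and sends the packet back.
    req = parse_header(request)
    return build_header(MODE_SERVER, origin=req["transmit"],
                        receive=to_ntp_ts(t2), transmit=to_ntp_ts(t3), stratum=2)

def round_trip(request: bytes, response: bytes, t4: float):
    """Recover T1..T4 (the four measurements of Table 1) and derive the RFC 5905
    clock offset and round-trip delay. The Origin Timestamp echo is what ties a
    mode-4 packet to the mode-3 packet that solicited it."""
    req, rsp = parse_header(request), parse_header(response)
    if rsp["origin"] != req["transmit"]:
        raise ValueError("response does not echo the request's T1")
    t1 = from_ntp_ts(req["transmit"])
    t2 = from_ntp_ts(rsp["receive"])
    t3 = from_ntp_ts(rsp["transmit"])
    offset = ((t2 - t1) + (t3 - t4)) / 2
    delay = (t4 - t1) - (t3 - t2)
    return t1, t2, t3, t4, offset, delay
```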
  • Table 3 depicts an exemplary memory table for tracking the NTP requests and responses in an embodiment of this invention.
  • An NTP Client Source IP, Client Source Port and NTP Server Destination IP uniquely identify a request tuple for tracking purposes. Additional parameters, namely Mode and Timeout, are used to time out the entry after a certain time period so that the entry doesn't perpetually remain in memory.
  • the entry is removed either when the gateway logic observes a matching response or when the timeout occurs without the server responding.
  • the logic may age out and eject an entry if there is memory overflow to protect the memory based on some logic well known to those in the art such as least recently used (LRU) to make way for a new entry.
  • LRU: least recently used
  • a 3-tuple consisting of IP address, Source Port and the Destination IP can be converted to a hash using algorithms, including, but not limited to, Message Digest algorithm 5 (MD5), Secure Hash Algorithm (SHA) (e.g., SHA-1, SHA-2, SHA-3, SHA-256, SHA-512), Cyclic Redundancy Check (CRC) (e.g., CRC32).
  • MD5: Message Digest algorithm 5
  • SHA: Secure Hash Algorithm
  • CRC: Cyclic Redundancy Check
  • the depth of this table depends on the number of bits in the hash. For example, if the hash has 20 bits, the table can have 1 M entries.
  • This 3-tuple is used to index and thus search for an incoming tuple to perform a duplicate check or an absence check.
  • FIG. 4 is a flow diagram illustrating a method of processing an NTP request in accordance with an embodiment of the present invention.
  • An NTP request packet is received from a Source IP address, with a Source UDP port and with a Destination IP address.
  • This 3-tuple is used to find the presence of an existing entry in an NTP request and response tracking table (e.g., the NTP request/response matching table of Table 3 described above).
  • When the 3-tuple is already present in the table at block 405, it means a request associated with this 3-tuple has already been observed and this duplicate request may represent a possible attack or misbehavior from a client. This ensures that any single IP address cannot send consecutive NTP requests to the same NTP server too soon (e.g., within a predefined and/or configurable time period) when a request is already pending. This avoids scripted attacks which simply flood an NTP server with requests one after another.
  • Such duplicate NTP requests may be discarded and not allowed to reach the destination NTP server by block 406.
  • FIG. 5 is a flow diagram illustrating a method of processing an NTP response in accordance with an embodiment of the present invention.
  • An NTP response packet is received from a Source IP address, with a Source UDP port and with a Destination IP address.
  • This 3-tuple is used to find the presence of an existing entry in an NTP request and response tracking table (e.g., the NTP request/response matching table of Table 3 described above).
  • When the 3-tuple is already present in the table at block 506, it means a request has been observed traversing the gateway. Therefore, the corresponding response is allowed to pass through and the entry is deleted from the NTP request and response tracking table.
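The Table 3 tracking table with the FIG. 4 and FIG. 5 checks, as an added example that is not the patent's code: the 3-tuple is indexed by a 20-bit CRC32 hash (the 1 M slots of the text), each entry carries a pending-request timeout, overflow is handled by LRU eviction, and an inbound response is mapped back to the request's tuple before lookup. The 5-second timeout, the slot-overwrite on hash collision and the sample addresses are assumptions.

```python
import zlib
from collections import OrderedDict

# Added example (not the patent's code). Table 3 in the patent keys on
# (client source IP, client source port, NTP server destination IP).
HASH_BITS = 20                  # 2**20 slots, the "1 M entries" of the text
REQUEST_TIMEOUT = 5.0           # seconds a request may stay pending (assumed value)

def slot_index(client_ip: str, client_port: int, server_ip: str) -> int:
    """CRC32 of the 3-tuple, truncated to HASH_BITS, as the table index."""
    key = f"{client_ip}|{client_port}|{server_ip}".encode()
    return zlib.crc32(key) & ((1 << HASH_BITS) - 1)

class NtpTrackingTable:
    def __init__(self, timeout: float = REQUEST_TIMEOUT, capacity: int = 1 << HASH_BITS):
        self.timeout = timeout
        self.capacity = capacity
        # slot index -> (3-tuple, expiry); OrderedDict order doubles as LRU order
        self.slots = OrderedDict()

    def _lookup(self, key, now):
        idx = slot_index(*key)
        entry = self.slots.get(idx)
        if entry is None:
            return idx, None
        tup, expiry = entry
        if expiry <= now:                  # aged out: the server never answered
            del self.slots[idx]
            return idx, None
        if tup != key:                     # another tuple occupies this slot
            return idx, None               # (collision handling is assumed, not from the patent)
        self.slots.move_to_end(idx)        # touched: most recently used
        return idx, entry

    def on_request(self, client_ip, client_port, server_ip, now) -> str:
        """FIG. 4: outbound mode-3 packet. Drop it if the same 3-tuple already has a
        request pending within the timeout; otherwise record it and let it through."""
        key = (client_ip, client_port, server_ip)
        idx, entry = self._lookup(key, now)
        if entry is not None:
            return "drop"                  # duplicate while a request is outstanding
        if idx not in self.slots and len(self.slots) >= self.capacity:
            self.slots.popitem(last=False) # LRU eviction on table overflow
        self.slots[idx] = (key, now + self.timeout)
        self.slots.move_to_end(idx)
        return "allow"

    def on_response(self, server_ip, client_ip, client_port, now) -> str:
        """FIG. 5: inbound mode-4 packet. Its source is the server and its destination
        the client, so rebuild the request's 3-tuple before the lookup. Allow and
        clear the entry if a request was seen; otherwise the response is unsolicited."""
        key = (client_ip, client_port, server_ip)
        idx, entry = self._lookup(key, now)
        if entry is None:
            return "drop"
        del self.slots[idx]
        return "allow"

    def expire(self, now) -> int:
        """Sweep aged-out entries so unanswered requests do not hold memory."""
        stale = [i for i, (_, exp) in self.slots.items() if exp <= now]
        for i in stale:
            del self.slots[i]
        return len(stale)
```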
  • Table 4 depicts an exemplary memory table for tracking NTP requesters in an embodiment of this invention.
  • When a protected NTP server (e.g., one residing within a protected network protected by a transparent gateway implementing the DDoS mitigation techniques described herein) responds positively to an NTP Client Source IP, an entry is added to this table for that source IP.
  • These source IPs are considered legitimate requesters.
  • The entry is removed when a timeout occurs, the timeout being controlled by a setting by the administrator.
  • The logic may age out and eject an entry if there is memory overflow, to protect the memory, based on some logic well known to those in the art, such as least recently used (LRU), to make way for a new entry.
  • The purpose of Table 4 is to let only legitimate IP addresses issue NTP requests during a period when too many requests are being seen by the gateway, that is, during an NTP request flood. This reduces the load on the NTP server by a scheme of selection.
  • The threshold for such a number of requests may be set behaviorally based on past data by Rate Anomaly Monitoring Engine 301. This scheme allows the gateway to restrict unsolicited NTP requests during an NTP request flood.
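Table 4 and the flood gating it supports, as an added example that is not the patent's code: a sliding-window request counter stands in for Rate Anomaly Monitoring Engine 301 (the patent sets the threshold behaviorally from past data; here it is a fixed parameter), and during a flood only source IPs the protected server has already answered are admitted. Threshold, window, timeout and the sample addresses are assumptions.

```python
from collections import OrderedDict, deque

# Added example (not the patent's code): inbound NTP requests to a protected
# NTP server, gated during a flood by a Table 4 style list of known requesters.

class RequestRateMonitor:
    """Minimal stand-in for engine 301: counts inbound NTP requests in a sliding
    window and reports a flood when the count exceeds a fixed threshold."""
    def __init__(self, threshold: int, window: float):
        self.threshold, self.window = threshold, window
        self.times = deque()

    def observe(self, now: float) -> bool:
        self.times.append(now)
        while self.times and self.times[0] <= now - self.window:
            self.times.popleft()
        return len(self.times) > self.threshold

class LegitimateRequesters:
    """Table 4: source IPs the protected server has answered positively. Each entry
    ages out after an administrator-configured timeout; the table evicts its least
    recently used entry when full."""
    def __init__(self, timeout: float, capacity: int):
        self.timeout, self.capacity = timeout, capacity
        self.entries = OrderedDict()          # client source IP -> expiry time

    def record_response(self, client_ip: str, now: float) -> None:
        if client_ip in self.entries:
            self.entries.move_to_end(client_ip)
        elif len(self.entries) >= self.capacity:
            self.entries.popitem(last=False)  # LRU eviction on overflow
        self.entries[client_ip] = now + self.timeout

    def is_legitimate(self, client_ip: str, now: float) -> bool:
        expiry = self.entries.get(client_ip)
        if expiry is None:
            return False
        if expiry <= now:                     # timed out: forget the requester
            del self.entries[client_ip]
            return False
        self.entries.move_to_end(client_ip)
        return True

class UnsolicitedRequestMitigation:
    """Engine 304: outside a flood every request passes; during a flood only
    requesters the server has already answered are let through."""
    def __init__(self, monitor: RequestRateMonitor, table: LegitimateRequesters):
        self.monitor, self.table = monitor, table

    def on_request(self, client_ip: str, now: float) -> str:
        flood = self.monitor.observe(now)     # every request counts toward the rate
        if not flood or self.table.is_legitimate(client_ip, now):
            return "allow"
        return "drop"

    def on_response(self, client_ip: str, now: float) -> None:
        # A positive reply from the protected server marks the client as legitimate.
        self.table.record_response(client_ip, now)
```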
  • FIG. 6 is an exemplary computer system in which or with which embodiments of the present invention may be utilized.
  • computer system 600 represents a network security device (e.g., network security device 300 , such as a transparent gateway) that, among other things, performs NTP request and response processing to detect and mitigate NTP request and/or response flooding.
  • Embodiments of the present disclosure include various steps, which have been described above. A variety of these steps may be performed by hardware components or may be tangibly embodied on a computer-readable storage medium in the form of machine-executable instructions, which may be used to cause a general-purpose or special-purpose processor programmed with instructions to perform these steps. Alternatively, the steps may be performed by a combination of hardware, software, and/or firmware.
  • Computer system 600 includes an external storage device 610, a bus 620, a main memory 630, a read only memory 640, a mass storage device 650, a communication port 660, and a processor 670.
  • computer system 600 may include more than one processor and communication ports.
  • Processor 670 examples include, but are not limited to, an Intel® Itanium® or Itanium 2 processor(s), or AMD® Opteron® or Athlon MP® processor(s), Motorola® lines of processors, FortiSOC™ system on a chip processors or other future processors.
  • Processor 670 may include various modules associated with embodiments of the present invention.
  • Communication port 660 can be any of an RS-232 port for use with a modem based dialup connection, a 10/100 Ethernet port, a Gigabit or 10 Gigabit port using copper or fiber, a serial port, a parallel port, or other existing or future ports.
  • Communication port 660 may be chosen depending on a network, such as a Local Area Network (LAN), Wide Area Network (WAN), or any network to which computer system 600 connects.
  • LAN: Local Area Network
  • WAN: Wide Area Network
  • Memory 630 can be Random Access Memory (RAM), or any other dynamic storage device commonly known in the art.
  • Read only memory 640 can be any static storage device(s), e.g., but not limited to, Programmable Read Only Memory (PROM) chips, for storing static information, e.g., start-up or BIOS instructions for processor 670.
  • PROM: Programmable Read Only Memory
  • Mass storage 650 may be any current or future mass storage solution, which can be used to store information and/or instructions.
  • Exemplary mass storage solutions include, but are not limited to, Parallel Advanced Technology Attachment (PATA) or Serial Advanced Technology Attachment (SATA) hard disk drives or solid-state drives (internal or external, e.g., having Universal Serial Bus (USB) and/or Firewire interfaces), e.g. those available from Seagate (e.g., the Seagate Barracuda 7200 family) or Hitachi (e.g., the Hitachi Deskstar 7K1000), one or more optical discs, Redundant Array of Independent Disks (RAID) storage, e.g. an array of disks (e.g., SATA arrays), available from various vendors including Dot Hill Systems Corp., LaCie, Nexsan Technologies, Inc. and Enhance Technology, Inc.
  • PATA: Parallel Advanced Technology Attachment
  • SATA: Serial Advanced Technology Attachment
  • USB: Universal Serial Bus
  • Bus 620 communicatively couples processor(s) 670 with the other memory, storage and communication blocks.
  • Bus 620 can be, e.g., a Peripheral Component Interconnect (PCI)/PCI Extended (PCI-X) bus, Small Computer System Interface (SCSI), USB or the like, for connecting expansion cards, drives and other subsystems, as well as other buses, such as a front side bus (FSB), which connects processor 670 to software system.
  • PCI: Peripheral Component Interconnect
  • PCI-X: PCI Extended
  • SCSI: Small Computer System Interface
  • FSB: front side bus
  • Operator and administrative interfaces, e.g., a display, keyboard, and a cursor control device, may also be coupled to bus 620 to support direct operator interaction with computer system 600.
  • Other operator and administrative interfaces (not shown) can be provided through network connections connected through communication port 610 .
  • External storage device 640 can be any kind of external hard drive, floppy drive, IOMEGA® Zip Drive, Compact Disc-Read Only Memory (CD-ROM), Compact Disc-Re-Writable (CD-RW), or Digital Video Disk-Read Only Memory (DVD-ROM). The components described above are meant only to exemplify various possibilities. In no way should the aforementioned exemplary computer system limit the scope of the present disclosure.
  • any digital computer systems can be configured or otherwise programmed to implement the methods and apparatuses disclosed herein, and to the extent that a particular digital computer system is configured to implement the methods and apparatuses of this invention, it is within the scope and spirit of the present invention.
  • When a digital computer system is programmed to perform particular functions pursuant to computer-executable instructions from program software that implements the present invention, it in effect becomes a special purpose computer particular to the present invention.
  • the techniques necessary to achieve this are well known to those skilled in the art and thus are not further described herein.
  • Computer executable instructions implementing the methods and techniques of the present invention can be distributed to users on a computer-readable medium and are often copied onto a hard disk or other storage medium. When such a program of instructions is to be executed, it is usually loaded into the random access memory of the computer, thereby configuring the computer to act in accordance with the techniques disclosed herein. All these operations are well known to those skilled in the art and thus are not further described herein.
  • the term “computer-readable medium” encompasses distribution media, intermediate storage media, execution memory of a computer, and any other medium or device capable of storing for later reading by a computer a computer program implementing the present invention.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Computing Systems (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

Systems and methods for mitigating DDoS attacks utilizing NTP are provided. According to one embodiment, a tracking table is maintained by a network security device protecting a private network. The tracking table contains information regarding NTP requests originated by clients of the private network and observed by the network security device. An NTP request sent from a client to an NTP server external to the private network is intercepted by the network security device. An NTP request flooding attack on the NTP server by the first client is mitigated by the network security device by: (i) determining based on the tracking table whether a prior NTP request directed to the NTP server and for which an NTP response has yet to be received was sent by the client within a predetermined or configurable time period of the NTP request; and (ii) when said determining is affirmative, dropping the NTP request.

Description

  • CROSS-REFERENCE TO RELATED PATENTS
  • This application may relate to the subject matter of U.S. Pat. No. 7,426,634 entitled, “Method and apparatus for rate based denial of service attack detection and prevention”, U.S. Pat. No. 7,602,731 entitled “System and method for integrated header, state, rate and content anomaly prevention with policy enforcement”, U.S. Pat. No. 7,626,940 entitled “System and method for integrated header, state, rate and content anomaly prevention for domain name service”, and U.S. Pat. No. 9,729,509 entitled “System and Method for Integrated Header, State, Rate and Content Anomaly Prevention for Session Initiation Protocol” all of which are hereby incorporated by reference in their entirety for all purposes.
  • COPYRIGHT NOTICE
  • Contained herein is material that is subject to copyright protection. The copyright owner has no objection to the facsimile reproduction of the patent disclosure by any person as it appears in the Patent and Trademark Office patent files or records, but otherwise reserves all rights to the copyright whatsoever. Copyright 2018, Fortinet, Inc.
  • FIELD
  • Embodiments of the present invention relate generally to mitigation of distributed denial of service (DDoS) attacks on Internet infrastructure, specifically those using Network Time Protocol (NTP).
  • DESCRIPTION OF THE BACKGROUND ART
  • Based on industry surveys and published data, amplification based DDoS attacks have been growing. Amplification involves sending a small packet to a server and getting back a much larger packet in response. If the server is open to receiving packets, it can be used to reflect spoofed attacks and send the responses back to a victim which had nothing to do with the original request. If the ratio of the response packet to the original small request packet is high, the amplification is considered high.
  • Common protocols used for reflection include, but are not limited to, Domain Name System (DNS), NTP, Chargen, Simple Service Discovery Protocol (SSDP), Simple Network Management Protocol (SNMP), Portmap, and Structured Query Language (SQL).
  • When an NTP reflection attack is launched against a server, it gets a barrage of packets from random sources. On the victim network, it is difficult to differentiate a legitimate request or a legitimate response from an attack packet, and therefore appliances such as firewalls or Intrusion Prevention System (IPS) appliances cannot stop such attacks easily. That is because the requests or the responses on their own may sometimes be perfectly legitimate in structure according to the standards of the protocol. Clearly, a new method is needed to differentiate legitimate requests and responses from the attack packets. Such differentiation is needed to isolate and sift such packets and protect the servers while allowing legitimate packets to go through.
  • SUMMARY
  • Systems and methods are described for stateful inspection of NTP requests and responses to mitigate DDoS attacks. According to one embodiment, a tracking table is maintained by a network security device protecting a private network. The tracking table contains information regarding network time protocol (NTP) requests originated by clients associated with the private network and observed by the network security device. An NTP request sent from a client to an NTP server external to the private network is intercepted by the network security device. An NTP request flooding attack on the NTP server by the client is mitigated by the network security device by: (i) determining based on the tracking table whether a prior NTP request directed to the NTP server and for which an NTP response has yet to be received was sent by the client within a predetermined or configurable time period of the NTP request; and (ii) when said determining is affirmative, dropping the NTP request.
  • Other features of embodiments of the present disclosure will be apparent from accompanying drawings and from detailed description that follows.
  • BRIEF DESCRIPTION OF THE DRAWINGS
  • FIG. 1 illustrates an NTP reflection attack via an unsecured NTP server.
  • FIG. 2 illustrates the concept of amplification in NTP attacks.
  • FIG. 3 illustrates the primary components for NTP DDoS attack mitigation in accordance with an embodiment of the present invention.
  • FIG. 4 is a flow diagram illustrating a method of detecting and mitigating duplicate NTP requests from the same source IP address in accordance with an embodiment of the present invention.
  • FIG. 5 is a flow diagram illustrating a method of mitigating unsolicited NTP response floods in accordance with an embodiment of the present invention.
  • FIG. 6 illustrates an exemplary computer system in which or with which embodiments of the present invention may be utilized.
  • DETAILED DESCRIPTION
  • Systems and methods are described for mitigating DDoS attacks utilizing Network Time Protocol (NTP). According to one embodiment, a DDoS attack mitigation module comprises an apparatus that classifies NTP packets and their parameters and validates the headers for anomalies. Another component of the mitigation includes a rate monitor for multiple parameters. According to another embodiment of the invention, a meter maintains and monitors for unsolicited NTP requests. Yet another component of the mitigation system consists of an NTP request/response matching system to mitigate unsolicited responses.
  • Embodiments of the present disclosure may be provided as a computer program product, which may include a machine-readable storage medium embodying thereon instructions, which may be used to program a computer (or other electronic devices) to perform a process. The machine-readable medium may include, but is not limited to, fixed (hard) drives, magnetic tape, floppy diskettes, optical disks, compact disc read-only memories (CD-ROMs), and magneto-optical disks, semiconductor memories, such as ROMs, PROMs, random access memories (RAMs), programmable read-only memories (PROMs), erasable PROMs (EPROMs), electrically erasable PROMs (EEPROMs), flash memory, magnetic or optical cards, or other type of media/machine-readable medium suitable for storing electronic instructions (e.g., computer programming code, such as software or firmware).
  • Various methods described herein may be practiced by combining one or more machine-readable storage media containing the code according to the present disclosure with appropriate standard computer hardware to execute the code contained therein. An apparatus for practicing various embodiments of the present disclosure may involve one or more computers (or one or more processors within a single computer) and storage systems containing or having network access to computer program(s) coded in accordance with various methods described herein, and the method steps of the disclosure could be accomplished by modules, routines, subroutines, or subparts of a computer program product.
  • FIG. 1 illustrates an NTP reflection attack 100 in which an attacker 101 sends an unsolicited request to an unsecure NTP server 103 somewhere on the Internet 102. The request is spoofed (i.e., having a source IP address of a victim server 104) so that NTP server 103 thinks that it must send a response to victim server 104. When a multitude of such requests reach NTP server 103 from multiple compromised attackers or spoofing attackers, victim server 104 can be overwhelmed with a distributed denial of service attack using the NTP protocol.
  • FIG. 2 illustrates an NTP amplification attack 200 in which an attacker 201 sends an unsolicited request to an unsecure NTP server 203 somewhere on the Internet 202. The request is a short packet (e.g., 64 bytes). In an exemplary situation, this request may ask NTP server 203 to respond with a list of past requesters. If NTP server 203 responds to such requests due to its configuration, the response size can be as large as 13,184 bytes. Additionally, due to spoofing of the request, the server 203 thinks that it must send a response to a victim server 204. Thus, a 64-byte packet causes a 13,184-byte response directed to victim server 204. When a multitude of such requests reach NTP server 203 from multiple compromised attackers or spoofing attackers, victim server 204 can be overwhelmed with an amplified distributed denial of service attack using the NTP protocol, which can completely fill its Internet pipe, denying service to legitimate users.
  • FIG. 3 illustrates the primary components to mitigate spoofed reflection and amplification NTP-based DDoS attacks in accordance with an embodiment of the present invention. In the context of the present example, the primary mitigation components, which may be implemented within a network security device 300, such as a transparent gateway protecting a protected network, include an NTP Rate Anomaly Monitoring Engine 301, an NTP Duplicate Request Prevention Engine 302, an NTP Unsolicited Response Prevention Engine 303 and an NTP Unsolicited Request Mitigation Engine 304, which may collectively be referred to as an NTP DDoS detection engine or module.
  • NTP Rate Anomaly Monitoring Engine 301 is easy to imagine for those having ordinary skill in the art and is not described here in detail. Its purpose is to monitor the rates of NTP requests and responses and to determine whether those rates are above normal established rates. When the rates are higher than normal, it informs the other modules of this state so that they can take extraordinary actions.
  • According to one embodiment NTP duplicate request prevention engine 302 determines whether a current NTP request is duplicative of an earlier NTP request observed by the transparent gateway, for example, by implementing the method described with reference to FIG. 4 (below).
  • According to one embodiment, NTP unsolicited response prevention engine 303 confirms an NTP response observed by the transparent gateway corresponds to an NTP request previously observed by the transparent gateway, for example, by implementing the method described with reference to FIG. 5 (below).
  • According to one embodiment, NTP unsolicited request prevention engine 304 tracks NTP requesters that have made NTP requests to an NTP server residing within a protected network by, for example, maintaining and using a data structure, for example, containing the information noted in Table 4 (below) to track legitimate requesters and limit responses to those legitimate requesters during an NTP request flood.
  • In an exemplary situation, a client sends an NTP protocol packet to a server and records the time the packet left the client in the Origin Timestamp field (T1). The server records the time the packet was received (T2). The server then assembles a response packet with the original Origin Timestamp and the Receive Timestamp equal to the packet receive time. The server sets the Transmit Timestamp to the time that the message is passed back toward the client (T3). The client then records the time the packet arrived (T4), giving the client four time measurements, as shown in Table 1. These four parameters are passed into the client timekeeping function to drive a clock synchronization function, which is described in further detail below.
  • TABLE 1
    Key Timestamps in NTP
    Timestamp Name          ID    Generated at
    Origin Timestamp        T1    Time request sent by the client
    Receive Timestamp       T2    Time request received by the server
    Transmit Timestamp      T3    Time reply sent by the server
    Destination Timestamp   T4    Time reply received by the client
  • Table 2 (below) depicts an exemplary NTP request and response packet according to the Network Time Protocol Version 4: Protocol and Algorithms Specification, Internet Engineering Task Force (IETF) Request for Comments (RFC) 5905, which is hereby incorporated by reference in its entirety for all purposes.
  • TABLE 2
    Structure of NTP Request and Response Packets
    LI VN Mode Stratum Poll Precision
    Root Delay
    Root Dispersion
    Reference Identifier
    Reference Timestamp (64)
    Origin Timestamp (64)
    Receive Timestamp (64)
    Transmit Timestamp (64)
    Optional Extension Field 1 (variable)
    Optional Extension Field 2 (variable)
    Optional Key/Algorithm Identifier (32)
    Optional Message Digest (128)
  • NTP operates over the User Datagram Protocol (UDP). An NTP server listens for client NTP packets on UDP port 123. The NTP server is stateless. The server responds to each received client NTP packet in a simple transactional manner by adding fields to the received packet and passing the packet back to the original sender. The key thing to note here is that the Mode field in Table 2 has a value of 3 when the client sends the request and 4 when the server sends a response. A response should not be directed to a client if it never sent a request. In an embodiment of this invention, this fact is used to block unsolicited responses by maintaining a list of outgoing requests (e.g., those egressing a private network). Such a scheme can be useful when the NTP client is inside a protected network and the NTP server is outside the protected network. That is, the NTP requests are outbound and the NTP responses are inbound. In an embodiment of this invention, software logic, hardware logic or a combination thereof is deployed between the client and server in the form of network security device (e.g., a transparent gateway) and is therefore a party to all communication between the clients and the servers that take place via the gateway.
  • Table 3 (below) depicts an exemplary memory table for tracking the NTP requests and responses in an embodiment of this invention. An NTP Client Source IP, Client Source Port and NTP Server Destination IP uniquely identify a request tuple for tracking purposes. Additional parameters, viz. Mode and Timeout, help time out the entry after a certain time period so that the entry does not remain in memory indefinitely. In one embodiment, the entry is removed either when the gateway logic observes a matching response or when the timeout occurs without the server responding. In yet another embodiment, the logic may age out and eject an entry if there is memory overflow, to protect the memory, based on some logic well known to those in the art such as least recently used (LRU), to make way for a new entry.
  • TABLE 3
    NTP Request/Response Matching Table
    Index   Client IP Address   Client Source Port   Server Destination IP   Timeout
    0       a.b.c.d             x                    x                       t
    1       :                   :                    :                       :
    :       :                   :                    :                       :
    2^n     :                   :                    :                       :
  • The hardware implementation of such tables is well known to those in the art and therefore is not described here for brevity; it may be implemented using schemes such as hash-based addressing using a large dynamic random access memory (DRAM). Since IP addresses can be 32 bits or 128 bits wide, but the table depth is limited to 2^n available slots, as shown in Table 3, a hash-based scheme is known to work well.
  • According to an embodiment of this invention, a 3-tuple consisting of the Source IP address, Source Port and Destination IP can be converted to a hash using algorithms including, but not limited to, Message Digest algorithm 5 (MD5), Secure Hash Algorithm (SHA) (e.g., SHA-1, SHA-2, SHA-3, SHA-256, SHA-512) and Cyclic Redundancy Check (CRC) (e.g., CRC32). The depth of this table depends on the number of bits in the hash. For example, if the hash has 20 bits, the table can have 1M entries. The hash of this 3-tuple is used to index the table and thus search for an incoming tuple to perform a duplicate check or an absence check.
  • FIG. 4 is a flow diagram illustrating a method of processing an NTP request in accordance with an embodiment of the present invention.
  • At block 401, an NTP request packet is received from a Source IP address, with a Source UDP port and with a Destination IP address.
  • At block 402, this 3-tuple is used to find the presence of an existing entry in an NTP request and response tracking table (e.g., the NTP request/response matching table of Table 3 described above).
  • At block 403, if the 3-tuple does not exist in the table, a new entry is created at block 404.
  • If the 3-tuple is already present in the table at block 405, it means a request associated with this 3-tuple has already been observed, and this duplicate request may represent a possible attack or misbehavior by a client. This ensures that any single IP address cannot send consecutive NTP requests to the same NTP server too soon (e.g., within a predefined and/or configurable time period) while a request is already pending. This avoids scripted attacks which simply flood an NTP server with requests one after another.
  • Depending on the administrator's choice, such NTP requests may be discarded and not allowed to reach the destination NTP server by block 406.
  • FIG. 5 is a flow diagram illustrating a method of processing an NTP response in accordance with an embodiment of the present invention.
  • At block 501, an NTP response packet is received from a Source IP address, with a Source UDP port and with a Destination IP address.
  • At block 502, this 3-tuple is used to find the presence of an existing entry in an NTP request and response tracking table (e.g., the NTP request/response matching table of Table 3 described above).
  • At block 503, if the 3-tuple does not exist in the table, it implies a possible reflection attack since no request was observed by the gateway. Such a response thus can be optionally dropped at block 505 by the gateway depending on the administrator's choice.
  • When the 3-tuple is already present in the table at block 506, it means a request has been observed traversing the gateway. Therefore, the corresponding response is allowed to pass through and the entry is deleted from the NTP request and response tracking table.
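The FIG. 4 and FIG. 5 procedures, together with the 3-tuple hashing into a Table 3 slot, written out as an added Python example (not code from the patent or from Fortinet). The timeout, hash width, addresses and packet bytes are constructed for illustration, and rebuilding the tuple from the destination side on the response path is this example's reading of how a response is matched to its request.

```python
import hashlib
import ipaddress
import struct
import time

# Hypothetical parameters (not taken from the patent): how long an outbound
# request stays pending, and the hash width that sets the table depth
# (20 bits -> 2^20 = 1M slots, the example size given in the text).
PENDING_TIMEOUT = 8.0
HASH_BITS = 20

MODE_CLIENT = 3   # Mode field value in a client request (Table 2)
MODE_SERVER = 4   # Mode field value in a server response


def ntp_mode(payload: bytes) -> int:
    """Return the 3-bit Mode field from the first NTP header byte (LI|VN|Mode)."""
    if len(payload) < 48:
        raise ValueError("NTP header must be at least 48 bytes")
    return payload[0] & 0x07


def tuple_hash(client_ip: str, client_port: int, server_ip: str) -> int:
    """Map the 3-tuple (client IP, client source port, server IP) to a
    HASH_BITS-wide table index. SHA-256 is one of the digests the text names;
    IPv4 and IPv6 addresses both collapse to the same fixed-width index."""
    key = (ipaddress.ip_address(client_ip).packed
           + struct.pack("!H", client_port)
           + ipaddress.ip_address(server_ip).packed)
    digest = hashlib.sha256(key).digest()
    return int.from_bytes(digest[:4], "big") & ((1 << HASH_BITS) - 1)


class NtpRequestResponseTable:
    """Table 3: pending outbound NTP requests indexed by 3-tuple hash. Each
    slot keeps the full tuple so a hash collision is not taken for a match."""

    def __init__(self, timeout=PENDING_TIMEOUT, now=time.monotonic):
        self.timeout = timeout
        self.now = now            # injectable clock, for deterministic tests
        self.entries = {}         # index -> (3-tuple, expiry time)

    def _expire(self):
        """Drop entries whose server never answered within the timeout."""
        t = self.now()
        for idx in [i for i, (_, exp) in self.entries.items() if exp <= t]:
            del self.entries[idx]

    def on_request(self, src_ip, src_port, dst_ip, payload) -> str:
        """FIG. 4 (blocks 401-406) for a client->server packet leaving the
        private network. Returns 'forward' or 'drop'."""
        if ntp_mode(payload) != MODE_CLIENT:
            return "forward"      # not a client request; outside this check
        self._expire()
        key = (src_ip, src_port, dst_ip)
        idx = tuple_hash(*key)
        if idx in self.entries and self.entries[idx][0] == key:
            return "drop"         # blocks 405/406: a request is still pending
        self.entries[idx] = (key, self.now() + self.timeout)   # block 404
        return "forward"

    def on_response(self, src_ip, src_port, dst_ip, dst_port, payload) -> str:
        """FIG. 5 (blocks 501-506) for a server->client packet entering the
        private network. The response reverses the flow, so the tracked tuple
        is rebuilt as (destination IP, destination port, source IP); the
        server's source port is not part of the key."""
        if ntp_mode(payload) != MODE_SERVER:
            return "forward"
        self._expire()
        key = (dst_ip, dst_port, src_ip)
        idx = tuple_hash(*key)
        if idx in self.entries and self.entries[idx][0] == key:
            del self.entries[idx]   # block 506: solicited; consume the entry
            return "forward"
        return "drop"               # blocks 503/505: no request was seen


# Constructed 48-byte packets: first byte 0x23 = LI 0, VN 4, Mode 3 (request),
# 0x24 = LI 0, VN 4, Mode 4 (response); the remaining fields are zeroed.
REQUEST_PKT = bytes([0x23]) + bytes(47)
RESPONSE_PKT = bytes([0x24]) + bytes(47)


def demo() -> list:
    """Walk one client (constructed addresses) through both flows with a frozen clock."""
    tbl = NtpRequestResponseTable(now=lambda: 100.0)
    client, server, reflector = "10.0.0.5", "198.51.100.7", "203.0.113.9"
    return [
        tbl.on_request(client, 40000, server, REQUEST_PKT),             # forward
        tbl.on_request(client, 40000, server, REQUEST_PKT),             # drop
        tbl.on_response(reflector, 123, client, 40000, RESPONSE_PKT),   # drop
        tbl.on_response(server, 123, client, 40000, RESPONSE_PKT),      # forward
        tbl.on_response(server, 123, client, 40000, RESPONSE_PKT),      # drop
    ]
```

The third call is the reflection case the text describes: a response arrives from a server the gateway never saw a request to, so no entry matches and it is dropped.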
  • Table 4 (below) depicts an exemplary memory table for tracking NTP requesters in an embodiment of this invention. When a protected NTP server (e.g., one residing within a protected network protected by a transparent gateway implementing the DDoS mitigation techniques described herein) responds positively to an NTP Client Source IP, an entry is added to this table for that source IP. These source IPs are considered legitimate requesters. In one embodiment, the entry is removed when a timeout occurs, the timeout being controlled by a setting by the administrator. In yet another embodiment, the logic may age out and eject an entry if there is memory overflow to protect the memory based on some logic well known to those in the art such as least recently used (LRU) to make way for a new entry.
  • TABLE 4
    Legitimate NTP Requester IP Tracking Table
    Index   Client IP Address   Timeout
    0       a.b.c.d             t
    1       :                   :
    :       :                   :
    2^n     :                   :
  • The purpose of Table 4 is to let only legitimate IP addresses issue NTP requests during a period when too many requests are being seen by the gateway, that is, during an NTP request flood. This reduces the load on the NTP server by a scheme of selection. The threshold for the number of requests may be set behaviorally, based on past data, by Rate Anomaly Monitoring Engine 301. This scheme allows the gateway to restrict unsolicited NTP requests during an NTP request flood.
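The Table 4 scheme for a protected NTP server, as an added Python example that is not the patent's or Fortinet's code. The requester timeout, rate window and threshold are hypothetical values, and the fixed-threshold flood detector stands in for the behaviourally set threshold of Rate Anomaly Monitoring Engine 301.

```python
import time

# Hypothetical parameters (not from the patent): how long a requester stays
# in the legitimate table, and the requests-per-window count above which the
# gateway treats inbound NTP traffic as a flood.
REQUESTER_TIMEOUT = 600.0
FLOOD_THRESHOLD = 50
RATE_WINDOW = 1.0


class LegitimateRequesterTable:
    """Table 4: source IPs the protected server has positively answered.
    Outside a flood every request is forwarded; during a flood only listed
    requesters are, so unsolicited request floods are shed at the gateway."""

    def __init__(self, timeout=REQUESTER_TIMEOUT, threshold=FLOOD_THRESHOLD,
                 window=RATE_WINDOW, now=time.monotonic):
        self.timeout, self.threshold, self.window = timeout, threshold, window
        self.now = now                    # injectable clock for tests
        self.legit = {}                   # requester IP -> expiry time
        self.window_start = now()
        self.window_count = 0

    def _in_flood(self) -> bool:
        """Fixed-window request counter standing in for Engine 301."""
        t = self.now()
        if t - self.window_start >= self.window:
            self.window_start, self.window_count = t, 0
        self.window_count += 1
        return self.window_count > self.threshold

    def _expire(self):
        """Administrator-controlled timeout: forget stale requesters."""
        t = self.now()
        for ip in [ip for ip, exp in self.legit.items() if exp <= t]:
            del self.legit[ip]

    def on_inbound_request(self, requester_ip: str) -> str:
        """Decide an inbound NTP request to the protected server.
        Returns 'forward' or 'drop'."""
        self._expire()
        if self._in_flood() and requester_ip not in self.legit:
            return "drop"
        return "forward"

    def on_outbound_response(self, requester_ip: str) -> None:
        """The protected server answered this requester: record it as
        legitimate (or refresh its timeout) as the text describes."""
        self.legit[requester_ip] = self.now() + self.timeout
```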
  • FIG. 6 is an exemplary computer system in which or with which embodiments of the present invention may be utilized. In an embodiment, computer system 600 represents a network security device (e.g., network security device 300, such as a transparent gateway) that, among other things, performs NTP request and response processing to detect and mitigate NTP request and/or response flooding. Embodiments of the present disclosure include various steps, which have been described above. A variety of these steps may be performed by hardware components or may be tangibly embodied on a computer-readable storage medium in the form of machine-executable instructions, which may be used to cause a general-purpose or special-purpose processor programmed with instructions to perform these steps. Alternatively, the steps may be performed by a combination of hardware, software, and/or firmware.
  • As shown in the figure, computer system 600 includes an external storage device 610, a bus 620, a main memory 630, a read only memory 640, a mass storage device 650, a communication port 660, and a processor 670. Those skilled in the art will appreciate that computer system 600 may include more than one processor and communication port.
  • Examples of processor 670 include, but are not limited to, an Intel® Itanium® or Itanium 2 processor(s), or AMD® Opteron® or Athlon MP® processor(s), Motorola® lines of processors, FortiSOC™ system on a chip processors or other future processors. Processor 670 may include various modules associated with embodiments of the present invention.
  • Communication port 660 can be any of an RS-232 port for use with a modem based dialup connection, a 10/100 Ethernet port, a Gigabit or 10 Gigabit port using copper or fiber, a serial port, a parallel port, or other existing or future ports. Communication port 660 may be chosen depending on a network, such a Local Area Network (LAN), Wide Area Network (WAN), or any network to which computer system 600 connects.
  • Memory 630 can be Random Access Memory (RAM), or any other dynamic storage device commonly known in the art. Read only memory 640 can be any static storage device(s) e.g., but not limited to, a Programmable Read Only Memory (PROM) chips for storing static information e.g., start-up or BIOS instructions for processor 670.
  • Mass storage 650 may be any current or future mass storage solution, which can be used to store information and/or instructions. Exemplary mass storage solutions include, but are not limited to, Parallel Advanced Technology Attachment (PATA) or Serial Advanced Technology Attachment (SATA) hard disk drives or solid-state drives (internal or external, e.g., having Universal Serial Bus (USB) and/or Firewire interfaces), e.g. those available from Seagate (e.g., the Seagate Barracuda 7200 family) or Hitachi (e.g., the Hitachi Deskstar 7K1000), one or more optical discs, Redundant Array of Independent Disks (RAID) storage, e.g. an array of disks (e.g., SATA arrays), available from various vendors including Dot Hill Systems Corp., LaCie, Nexsan Technologies, Inc. and Enhance Technology, Inc.
  • Bus 620 communicatively couples processor(s) 670 with the other memory, storage and communication blocks. Bus 620 can be, e.g., a Peripheral Component Interconnect (PCI)/PCI Extended (PCI-X) bus, Small Computer System Interface (SCSI), USB or the like, for connecting expansion cards, drives and other subsystems, as well as other buses, such as a front side bus (FSB), which connects processor 670 to software system. Optionally, operator and administrative interfaces, e.g., a display, keyboard, and a cursor control device, may also be coupled to bus 620 to support direct operator interaction with computer system 600. Other operator and administrative interfaces (not shown) can be provided through network connections connected through communication port 610.
  • External storage device 640 can be any kind of external hard-drives, floppy drives, IOMEGA® Zip Drives, Compact Disc-Read Only Memory (CD-ROM), Compact Disc-Re-Writable (CD-RW), Digital Video Disk-Read Only Memory (DVD-ROM). Components described above are meant only to exemplify various possibilities. In no way should the aforementioned exemplary computer system limit the scope of the present disclosure.
  • Although embodiments of the present invention and their various advantages have been described in detail, it should be understood that the present invention is not limited to or defined by what is shown or discussed herein.
  • Moreover, as one skilled in the art will appreciate, any digital computer systems can be configured or otherwise programmed to implement the methods and apparatuses disclosed herein, and to the extent that a particular digital computer system is configured to implement the methods and apparatuses of this invention, it is within the scope and spirit of the present invention. Once a digital computer system is programmed to perform particular functions pursuant to computer-executable instructions from program software that implements the present invention, it in effect becomes a special purpose computer particular to the present invention. The techniques necessary to achieve this are well known to those skilled in the art and thus are not further described herein.
  • Computer executable instructions implementing the methods and techniques of the present invention can be distributed to users on a computer-readable medium and are often copied onto a hard disk or other storage medium. When such a program of instructions is to be executed, it is usually loaded into the random access memory of the computer, thereby configuring the computer to act in accordance with the techniques disclosed herein. All these operations are well known to those skilled in the art and thus are not further described herein. The term “computer-readable medium” encompasses distribution media, intermediate storage media, execution memory of a computer, and any other medium or device capable of storing for later reading by a computer a computer program implementing the present invention.
  • Accordingly, drawings, tables, and description disclosed herein illustrate technologies related to the invention, show examples of the invention, and provide examples of using the invention and are not to be construed as limiting the present invention. Known methods, techniques, or systems may be discussed without giving details, so to avoid obscuring the principles of the invention. As it will be appreciated by one of ordinary skill in the art, the present invention can be implemented, modified, or otherwise altered without departing from the principles and spirit of the present invention. Therefore, the scope of the present invention should be determined by the following claims and their legal equivalents.

Claims (16)

What is claimed is:
1. A method comprising:
maintaining, by a network security device protecting a private network, a tracking table containing information regarding network time protocol (NTP) requests originated by any of a plurality of clients associated with the private network and observed by the network security device;
intercepting, by the network security device, an NTP request sent from a first client of the plurality of clients to a first NTP server external to the private network;
mitigating, by the network security device, an NTP request flooding attack on the first NTP server by the first client by:
determining based on the tracking table whether a prior NTP request directed to the first NTP server and for which an NTP response has yet to be received was sent by the first client within a predetermined or configurable time period of the NTP request; and
when said determining is affirmative, dropping the NTP request.
2. The method of claim 1 further comprising when said determining is negative, allowing the NTP request to be transmitted to the first NTP server.
3. The method of claim 1, wherein said maintaining, by a network security device protecting a private network, a tracking table further comprises for each observed NTP request of the observed NTP requests, storing, by the network security device, a hash value of a 3-tuple of the observed NTP request, wherein the 3-tuple includes a source internet protocol (IP) address, a source port and a destination IP address, in the tracking table.
4. The method of claim 3, wherein said determining based on the tracking table whether a prior NTP request directed to the first NTP server and for which an NTP response has yet to be received was sent by the first client within a predetermined or configurable time period of the NTP request comprises determining whether a 3-tuple of the NTP request is already in the tracking table.
5. The method of claim 4, further comprising:
when said determining whether a 3-tuple of the NTP request is already in the tracking table is negative, then adding, by the network security device, the 3-tuple of the NTP request to the tracking table; and
removing, by the network security device, the 3-tuple of the NTP request from the tracking table when an NTP response to the NTP request is observed by the network security device or responsive to the 3-tuple of the NTP request having been in the table for greater than or equal to the predetermined or configurable time period.
6. The method of claim 1, further comprising mitigating, by the network security device, an NTP response flooding attack on the protected network by:
intercepting an NTP response from the first NTP server or a second NTP server to the first client or a second client of the plurality of clients;
determining whether the NTP response is an unsolicited NTP response based on existence or non-existence of a matching NTP request in the tracking table;
when said determining whether the NTP response is an unsolicited NTP response is affirmative, then dropping, by the network security device, the unsolicited NTP response; and
when said determining whether the NTP response is an unsolicited NTP response is negative, then allowing, by the network security device, the NTP response to be transmitted to its destination.
7. The method of claim 6, further comprising:
maintaining, by the network security device, a legitimate NTP requester table; and
allowing, by the network security device, the NTP request if an originating client of the NTP request is in the legitimate NTP requester table during an NTP request flood; and
dropping, by the network security device, the NTP request if the originating client of the NTP request is not in the legitimate NTP requester table during the NTP request flood.
8. The method of claim 7, further comprising when a legitimate NTP response to the originating client is allowed, then adding, by the network security device, the originating client to the legitimate NTP requester table.
9. A non-transitory computer-readable storage medium embodying a set of instructions, which when executed by one or more processors of a network security device protecting a private network perform a method comprising:
maintaining a tracking table containing information regarding network time protocol (NTP) requests originated by any of a plurality of clients associated with the private network and observed by the network security device;
intercepting an NTP request sent from a first client of the plurality of clients to a first NTP server external to the private network;
mitigating, by the network security device, an NTP request flooding attack on the first NTP server by the first client by:
determining based on the tracking table whether a prior NTP request directed to the first NTP server and for which an NTP response has yet to be received was sent by the first client within a predetermined or configurable time period of the NTP request; and
when said determining is affirmative, dropping the NTP request.
10. The non-transitory computer-readable storage medium of claim 9, wherein the method further comprises when said determining is negative, allowing the NTP request to be transmitted to the first NTP server.
11. The non-transitory computer-readable storage medium of claim 9, wherein said maintaining a tracking table further comprises for each observed NTP request of the observed NTP requests, storing a hash value of a 3-tuple of the observed NTP request, wherein the 3-tuple includes a source internet protocol (IP) address, a source port and a destination IP address, in the tracking table.
12. The non-transitory computer-readable storage medium of claim 11, wherein said determining based on the tracking table whether a prior NTP request directed to the first NTP server and for which an NTP response has yet to be received was sent by the first client within a predetermined or configurable time period of the NTP request comprises determining whether a 3-tuple of the NTP request is already in the tracking table.
13. The non-transitory computer-readable storage medium of claim 12, wherein the method further comprises:
when said determining whether a 3-tuple of the NTP request is already in the tracking table is negative, then adding the 3-tuple of the NTP request to the tracking table; and
removing the 3-tuple of the NTP request from the tracking table when an NTP response to the NTP request is observed by the network security device or responsive to the 3-tuple of the NTP request having been in the table for greater than or equal to the predetermined or configurable time period.
14. The non-transitory computer-readable storage medium of claim 9, wherein the method further comprises mitigating an NTP response flooding attack on the protected network by:
intercepting an NTP response from the first NTP server or a second NTP server to the first client or a second client of the plurality of clients;
determining whether the NTP response is an unsolicited NTP response based on existence or non-existence of a matching NTP request in the tracking table;
when said determining whether the NTP response is an unsolicited NTP response is affirmative, then dropping the unsolicited NTP response; and
when said determining whether the NTP response is an unsolicited NTP response is negative, then allowing the NTP response to be transmitted to its destination.
15. The non-transitory computer-readable storage medium of claim 14, wherein the method further comprises:
maintaining a legitimate NTP requester table; and
allowing the NTP request if an originating client of the NTP request is in the legitimate NTP requester table during an NTP request flood; and
dropping the NTP request if the originating client of the NTP request is not in the legitimate NTP requester table during the NTP request flood.
16. The non-transitory computer-readable storage medium of claim 15, wherein the method further comprises when a legitimate NTP response to the originating client is allowed, then adding the originating client to the legitimate NTP requester table.
US15/925,662 2018-03-19 2018-03-19 Mitigation of NTP amplification and reflection based DDoS attacks Active 2038-10-29 US10868828B2 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US15/925,662 US10868828B2 (en) 2018-03-19 2018-03-19 Mitigation of NTP amplification and reflection based DDoS attacks

Publications (2)

Publication Number Publication Date
US20190289032A1 true US20190289032A1 (en) 2019-09-19
US10868828B2 US10868828B2 (en) 2020-12-15

Family

ID=67906356

US20190132071A1 (en) * 2016-04-14 2019-05-02 Nippon Telegraph And Telephone Corporation Sensor synchronization method, sensor data acquisition terminal, and sensor network system
US20190132931A1 (en) * 2016-04-21 2019-05-02 Philips Lighting Holding B.V. Systems and methods for verifying credentials

Family Cites Families (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7657934B2 (en) * 2002-01-31 2010-02-02 Riverbed Technology, Inc. Architecture to thwart denial of service attacks
US7383577B2 (en) * 2002-05-20 2008-06-03 Airdefense, Inc. Method and system for encrypted network management and intrusion detection
US8966270B2 (en) * 2006-12-29 2015-02-24 Alcatel Lucent Methods and systems for providing controlled access to the internet
US20110083179A1 (en) * 2009-10-07 2011-04-07 Jeffrey Lawson System and method for mitigating a denial of service attack using cloud computing
US20120198541A1 (en) * 2011-02-02 2012-08-02 Reeves Randall E Methods and apparatus for preventing network intrusion
KR20140008237A (en) * 2012-07-10 2014-01-21 한국전자통신연구원 Packet transmission and reception apparatus and method in mmt hybrid transmissing service
US9350706B1 (en) * 2013-03-15 2016-05-24 Centurylink Intellectual Property Llc Network traffic data scrubbing with services offered via anycasted addresses
WO2016035083A2 (en) * 2014-09-06 2016-03-10 Andriani Matthew Non-disruptive ddos testing
US20160127408A1 (en) * 2014-10-31 2016-05-05 NxLabs Limited Determining vulnerability of a website to security threats
WO2017079412A1 (en) * 2015-11-03 2017-05-11 Axiom, Inc. Methods and apparatus for system having denial of services (dos) resistant multicast
KR102462830B1 (en) * 2016-03-02 2022-11-04 한국전자통신연구원 Apparatus and Method of Detecting the Distributed Reflection Denial of Service Attack based on the Flow Information
US10171493B2 (en) * 2016-03-05 2019-01-01 Sears Brands, L.L.C. Method and system to dynamically obfuscate a web services interface
US11277439B2 (en) * 2016-05-05 2022-03-15 Neustar, Inc. Systems and methods for mitigating and/or preventing distributed denial-of-service attacks
US10992536B2 (en) * 2016-08-15 2021-04-27 At&T Intellectual Property I, L.P. Method and apparatus to control anycast traffic using a software defined network controller
CN106534209B (en) * 2016-12-29 2017-12-19 广东睿江云计算股份有限公司 A kind of method and system for shunting reflection-type DDOS flows
GB201704931D0 (en) * 2017-03-28 2017-05-10 Indigovision Ltd Monitoring devices and methods for IP surveillance networks
US10587621B2 (en) * 2017-06-16 2020-03-10 Cisco Technology, Inc. System and method for migrating to and maintaining a white-list network security model
US10547715B2 (en) * 2017-06-16 2020-01-28 Cisco Technology, Inc. Event generation in response to network intent formal equivalence failures
US10819685B2 (en) * 2018-03-02 2020-10-27 Futurewei Technologies, Inc. Lightweight secure autonomic control plane

Also Published As

Publication number Publication date
US10868828B2 (en) 2020-12-15

Similar Documents

Publication Publication Date Title
US10097578B2 (en) Anti-cyber hacking defense system
US11601456B2 (en) Transparent inspection of traffic encrypted with perfect forward secrecy (PFS)
Deshmukh et al. Understanding DDoS attack & its effect in cloud environment
US8245300B2 (en) System and method for ARP anti-spoofing security
Whyte et al. DNS-based Detection of Scanning Worms in an Enterprise Network.
US7266754B2 (en) Detecting network denial of service attacks
Wong et al. A survey of trends in massive DDoS attacks and cloud-based mitigations
US8856913B2 (en) Method and protection system for mitigating slow HTTP attacks using rate and time monitoring
US10057213B2 (en) Examining and controlling IPv6 extension headers
US9253153B2 (en) Anti-cyber hacking defense system
US20070245417A1 (en) Malicious Attack Detection System and An Associated Method of Use
US11811820B2 (en) Malicious C and C channel to fixed IP detection
US10868828B2 (en) Mitigation of NTP amplification and reflection based DDoS attacks
US20060248186A1 (en) Network management and administration
US11503471B2 (en) Mitigation of DDoS attacks on mobile networks using DDoS detection engine deployed in relation to an evolve node B
Ahmad et al. A countermeasure mechanism for fast scanning malware
Zhou et al. Limiting self-propagating malware based on connection failure behavior
US20230328107A1 (en) Systems and methods for controlling access to an unadvertised cloud-based resource
Tupakula et al. Analysis of traceback techniques
Ahmad Early detection and containment of network worm
WO2023060881A1 (en) Method and apparatus for identifying source address of message
TWI702510B (en) Method and device for finding a malicious encrypted connection fingerprint
US20230396648A1 (en) Detecting ddos attacks by correlating inbound and outbound network traffic information
Mishra et al. A systematic survey on DDoS attack and data confidentiality issue on cloud servers
Sagatov et al. Countering DNS Amplification Attacks Based on Analysis of Outgoing Traffic

Legal Events

Date Code Title Description
AS Assignment

Owner name: FORTINET, INC., CALIFORNIA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:JAIN, HEMANT KUMAR;REEL/FRAME:045279/0566

Effective date: 20180319

FEPP Fee payment procedure

Free format text: ENTITY STATUS SET TO UNDISCOUNTED (ORIGINAL EVENT CODE: BIG.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

STPP Information on status: patent application and granting procedure in general

Free format text: NON FINAL ACTION MAILED

STPP Information on status: patent application and granting procedure in general

Free format text: NOTICE OF ALLOWANCE MAILED -- APPLICATION RECEIVED IN OFFICE OF PUBLICATIONS

STPP Information on status: patent application and granting procedure in general

Free format text: PUBLICATIONS -- ISSUE FEE PAYMENT VERIFIED

STCF Information on status: patent grant

Free format text: PATENTED CASE